CVE-2009-0478: Squid HTTP Version Remote DoS

Another bug for one of the most popular proxy servers out there. This was reported by Joshua Morin, Mikko Varpiola and Jukka Taimisto from the CROSS project to the Squid project and disclosed on 2 February 2009. The affected versions are listed in the published advisory. The following code snippets were ripped from the 2.7 (Stable 5) branch of the Squid caching server. The buggy function is located at src/HttpMsg.c. This source code file contains the main parsing routines for HTTP messages and it was originally written by Alex Rousskov. The vulnerable code can be found in this function:

159 int
160 httpMsgParseRequestLine(HttpMsgBuf * hmsg)
161 {

This function is responsible for parsing the request line of an HTTP message, and the author himself apparently suspects some off-by-one errors in it too…

So, if you read it carefully you might end up with one or more nice 0days for Squid. Not bad… Not bad at all! Anyway, let’s examine the bug. An HTTP request line has the following format:

HTTP/1.0 200 OK

Here the first token represents the protocol and its version, and the number that follows is the HTTP code returned, followed by its equivalent string. The version can be split into a major part, which in this case is 1, and a minor part, which is 0. Now, let’s move to httpMsgParseRequestLine() and see what happens there:

Here is the first vulnerability. The above code retrieves the major number. Once it finds a digit, it multiplies the accumulated value by 10 and adds the new digit, repeating this until it either reaches the end of the request or hits something that is not a digit. This means that if we supply a negative number, it is stored in maj, which is a signed integer as defined at line 164. When execution reaches the assert(3) call at line 296, it causes the following error:

Well, you can trigger this vulnerability simply by sending an HTTP request line with a negative major and/or minor version number. It is no more than 10 lines of code in most programming languages. These bugs are really pissing me off. Most of my friends already know that for at least 2+ years I’ve been a big supporter of ilja’s opinion on assert(3) calls in production code, which you can read at his blag. On top of this, Squid is just full of assertions… Imagine, crappy parsing like this can lead to a remote DoS. How retarded is this?
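To make the bug class concrete, here is an added illustration (my own code, not Squid's): a permissive version parser that mirrors the accumulation pattern described above and happily produces a negative major version from "HTTP/-1.0", next to a strict parser that rejects signs, overlong fields and trailing garbage and returns an error so the caller can answer 400 Bad Request instead of hitting an assert().

```c
#include <ctype.h>
#include <string.h>

/* Permissive parser mirroring the pattern described in the post (assumed
   illustration, not Squid's code): an optional sign is consumed and digits
   are accumulated with "x = x * 10 + digit", so "HTTP/-1.0" yields a
   negative major version that a later assert() on "maj >= 0" would trip. */
int permissive_version(const char *s, int *maj, int *min)
{
    int sign = 1, m = 0, n = 0;
    if (strncmp(s, "HTTP/", 5) != 0) return -1;
    s += 5;
    if (*s == '-') { sign = -1; s++; }
    while (isdigit((unsigned char)*s)) m = m * 10 + (*s++ - '0');
    if (*s++ != '.') return -1;
    while (isdigit((unsigned char)*s)) n = n * 10 + (*s++ - '0');
    *maj = sign * m; *min = n;
    return 0;
}

/* Strict parser: digits only, at most 3 per field, no sign, nothing after
   the minor version. Returns 0 on success, -1 on any malformed input so the
   caller can reject the request instead of relying on an assert(). */
int strict_version(const char *s, size_t len, int *maj, int *min)
{
    const char *end = s + len;
    int fields[2] = {0, 0};
    if (len < 8 || memcmp(s, "HTTP/", 5) != 0) return -1;
    s += 5;
    for (int f = 0; f < 2; f++) {
        int digits = 0;
        while (s < end && isdigit((unsigned char)*s)) {
            if (++digits > 3) return -1;            /* cap each field at 999 */
            fields[f] = fields[f] * 10 + (*s++ - '0');
        }
        if (digits == 0) return -1;                 /* "-1", ".", "" rejected */
        if (f == 0 && (s >= end || *s++ != '.')) return -1;
    }
    if (s != end) return -1;                        /* trailing garbage */
    *maj = fields[0]; *min = fields[1];
    return 0;
}

/* Validate the version token of a whole request line ("METHOD URI HTTP/x.y").
   Returns 1 if the version is well-formed, 0 otherwise. */
int request_line_version_ok(const char *line)
{
    const char *sp = strrchr(line, ' ');
    int maj, min;
    if (!sp) return 0;
    return strict_version(sp + 1, strlen(sp + 1), &maj, &min) == 0;
}
```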